Hi I want to run a file upload service but worry about some matters 1. if someone uploads a php file, can he read my other files? if I have config files with database details, then they can easily hack my site ! ??? any suggestions?
You need to restrict the file types to thing that can not harm your site or server. All executables must be in a zipped file at a minimum.
That covers most of the ones that I know. I'm sure we both missed a couple. If you are just going to run an upload service ban everything that is not zipped. If it isn't filename.zip you don't take it.
Requiring certain extensions is a good start and definitely worthwhile implementing but not completely secure. If an attacker uploads a PHP script with a .jpg extension and then finds a local file inclusion vulnerability on your site he can include the PHP code stored in his .jpg file in one of your scripts. This means that a local file inclusion vulnerability, which is not usually enough to gain control of a site, has been escalated to a full takeover thanks to being able to upload PHP with a .jpg extension. In addition to enforcing the file extension, you should also check the mime-type of any uploaded files and reject them if they aren't one of a specific list.